IETF Logo Mail Archive

Re: [homenet] [EXT] securing zone transfer

"Ray Hunter (v6ops)" <v6ops@globis.net> Wed, 12 June 2019 12:35 UTC

Return-Path: <v6ops@globis.net>
X-Original-To: homenet@ietfa.amsl.com
Delivered-To: homenet@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 91613120182 for <homenet@ietfa.amsl.com>; Wed, 12 Jun 2019 05:35:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id siIxNLsmwUfW for <homenet@ietfa.amsl.com>; Wed, 12 Jun 2019 05:35:20 -0700 (PDT)
Received: from globis01.globis.net (92-111-140-212.static.v4.ziggozakelijk.nl [92.111.140.212]) by ietfa.amsl.com (Postfix) with ESMTP id 9082C120092 for <homenet@ietf.org>; Wed, 12 Jun 2019 05:35:20 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by globis01.globis.net (Postfix) with ESMTP id 50A1B40166; Wed, 12 Jun 2019 14:35:19 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at globis01.globis.net
Received: from globis01.globis.net ([127.0.0.1]) by localhost (mail.globis.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 480IGTzAmCsj; Wed, 12 Jun 2019 14:35:16 +0200 (CEST)
Received: from MacBook-Pro-3.local (h9041.upc-h.chello.nl [62.194.9.41]) (Authenticated sender: v6ops@globis.net) by globis01.globis.net (Postfix) with ESMTPA id 30154400F9; Wed, 12 Jun 2019 14:35:16 +0200 (CEST)
To: Jacques Latour <Jacques.Latour@cira.ca>
Cc: Daniel Migault <daniel.migault@ericsson.com>, homenet <homenet@ietf.org>
References: <CADZyTkkgd8f49V+yoZvPZXx3b-_YRzpgUY1-obroq9QMLnFWNw@mail.gmail.com> <cca26a8147924f1ab0d9447e3f083e0c@cira.ca>
From: "Ray Hunter (v6ops)" <v6ops@globis.net>
Message-ID: <4fea3a69-a009-908f-fb4d-dd388ea6090b@globis.net>
Date: Wed, 12 Jun 2019 14:35:14 +0200
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:52.0) Gecko/20100101 PostboxApp/6.1.18
MIME-Version: 1.0
In-Reply-To: <cca26a8147924f1ab0d9447e3f083e0c@cira.ca>
Content-Type: multipart/alternative; boundary="------------A79816F9CAC27E8424488C40"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/homenet/uCJrg3lh7_mBzVwhioTIVDCYKJg>
Subject: Re: [homenet] [EXT] securing zone transfer
X-BeenThere: homenet@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF Homenet WG mailing list <homenet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/homenet>, <mailto:homenet-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/homenet/>
List-Post: <mailto:homenet@ietf.org>
List-Help: <mailto:homenet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/homenet>, <mailto:homenet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Jun 2019 12:35:23 -0000

Thanks for the feedback.

 > first, the gateway does not know for sure which external NS are use 
by the secondary DNS service,

Agreed. The draft needs to address how the service is boot-strapped and 
auto-configred.

 > second the IPs of the WAN port might not be the internet facing IPs 
and this could break inbound connectivity

I hope that we're going to be able to move past IP filtering as the 
primary security mechanism for this draft.

Especially in the presence of renumbering.

regards,

Jacques Latour wrote on 11/06/2019 20:59:
>
> Daniel,
>
> In trying to setup our secure home gateway project to have the 
> external zone & primary DNS server setup and managed on the gateway 
> itself and to XFR back to secondary name servers somewhere turned out 
> not be functional or practical, first, the gateway does not know for 
> sure which external NS are use by the secondary DNS service, second, 
> the IPs of the WAN port might not be the internet facing IPs and this 
> could break inbound connectivity.  We’re looking at using dynamic DNS 
> updates for things that need internet connectivity, and have the 
> primary DNS server on the main land.   TSIG & DNS over TLS look like a 
> good option to look at.
>
> Jacques
>
> *From:*homenet <homenet-bounces@ietf.org> *On Behalf Of *Daniel Migault
> *Sent:* June 7, 2019 4:03 PM
> *To:* homenet <homenet@ietf.org>
> *Subject:* [EXT] [homenet] securing zone transfer
>
> Hi,
>
> The front end naming architecture uses a primary and a secondary dns 
> server to synchronize a zone. The expected exchanges are (SOA, NOTIFY, 
> IXFR, AXFR. We would like to get feed backs from the working group on 
> what are the most appropriated way to secure this channel.
>
> Options we have considered are TSIG, IPsec, TLS, DTLS. TSIG does not 
> provide confidentiality, and we would rather go for user space 
> security.  Are there any recommendation for using TLS or DTLS in that 
> case ?
>
> Any thoughts would be helpful.
>
> Yours,
>
> Daniel
>
>
>
> _______________________________________________
> homenet mailing list
> homenet@ietf.org
> https://www.ietf.org/mailman/listinfo/homenet

-- 
regards,
RayH
<https://www.postbox-inc.com/?utm_source=email&utm_medium=siglink&utm_campaign=reach>

v2.23.0 | Report a Bug | By Email